| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
|
|
|
|
The changes cherry picked in 0149ee13d51b48d77fbbaa5c1109036332a5577c
rely on k5calloc(), which is not present in the 1.11 branch.
Compensate by using calloc() instead.
ticket: 8102
version_fixed: 1.11.6
status: resolved
|
|
In two of the kinit tests run by t_skew.py, we expect kinit to exit
before reading the password. If we supply a password input for those
commands, we can fail with a broken pipe exception if the master
process tries to write the password after the slave process exits.
Also correctly check the output of the last kinit invocation.
(cherry picked from commit 2457bf66c466321dd36cd3c76bc36bb589d31587)
ticket: 8147 (new)
version_fixed: 1.11.6
status: resolved
|
|
(cherry picked from commit 49f8ec5975df3cb5f204444df2a284b2e662df85)
ticket: 8146 (new)
version_fixed: 1.11.6
status: resolved
|
|
The remote kadmin client would not parse the "-norandkey" option to
the ktadd subcommand, terminating option parsing and possibly causing
options to be interpreted as principal names.
(cherry picked from commit 13e9694b17945d43d0cfc203b2645204f2d87086)
ticket: 8148 (new)
version_fixed: 1.11.6
status: resolved
|
|
In init_creds_step_reply, if we get an error storing output
credentials, do set ctx->complete (since retrieving creds or times
will work at this point) but don't suppress the error code.
(cherry picked from commit feeddfb78ca5de066a509b6be8551d036e0f2c8a)
ticket: 8145 (new)
version_fixed: 1.11.6
status: resolved
|
|
In copy_creds_except, call krb5_cc_end_seq_get so we don't leak the
ccache cursor.
(cherry picked from commit 62894f854daa8251554376b6b6810fd0e9fecb7f)
ticket: 8144 (new)
version_fixed: 1.11.6
status: resolved
|
|
Use modern enctypes for values of master_key_type and
supported_enctypes in the example kdc.conf in kdc_conf.rst.
(cherry picked from commit 3eeb1a7eaa6757502d73944b7694405cdd571e1c)
ticket: 8143 (new)
version_fixed: 1.11.6
status: resolved
|
|
In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
successfully with no results, return KRB5_KDB_NOENTRY instead of
returning success with a zeroed-out policy object. This fixes a null
dereference when an admin attempts to use an LDAP ticket policy name
as a password policy name.
CVE-2014-5353:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal. The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.
Queries to LDAP scoped to the krbPwdPolicy object class will correctly
not return entries of other classes, such as ticket policy objects, but
may return success with no returned elements if an object with the
requested DN exists in a different object class. In this case, the
routine to retrieve a password policy returned success with a password
policy object that consisted entirely of zeroed memory. In particular,
accesses to the policy name will dereference a NULL pointer. KDC
operation does not access the policy name field, but most kadmin
operations involving the principal with incorrect password policy
will trigger the crash.
Thanks to Patrik Kis for reporting this problem.
CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
[kaduk@mit.edu: CVE description and CVSS score]
(cherry picked from commit d1f707024f1d0af6e54a18885322d70fa15ec4d3)
(cherry picked from commit 0a97ce4411b34e871ae503b78eedf61db27180ea)
ticket: 8142 (new)
version_fixed: 1.11.6
status: resolved
|
|
In profile_iterator(), return PROF_MAGIC_ITERATOR if *iter_p is NULL,
instead of dereferencing a null pointer, as we did prior to 1.10.
Correct calling code will not trigger this case, but incorrect code
has been reported in the field.
(cherry picked from commit 9a343200d305e7c8df6e556d63afaee42194175f)
ticket: 8141 (new)
version_fixed: 1.11.6
status: resolved
|
|
This function is already present in gssapi_ext.h, but without
exporting it, a link error will be produced every time it is used.
(cherry picked from commit 266cce14ee39f6d11b186ee988cffd0c2a119f3d)
ticket: 8140 (new)
version_fixed: 1.11.6
status: resolved
|
|
(back ported from commit c0778ab2252ece4c3510788d9b72f7f5e3bb05dd)
ticket: 8122
version_fixed: 1.11.6
status: resolved
|
|
If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]
(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)
ticket: 8122 (new)
subject: kinit -C loops chasing realm referrals against MIT KDC
version_fixed: 1.11.6
status: resolved
|
|
[MITKRB5-SA-2015-001] In svcauth_gss_accept_sec_context(), do not copy
bytes from the union context into the handle field we send to the
client. We do not use this handle field, so just supply a fixed
string of "xxxx".
In gss_union_ctx_id_struct, remove the unused "interposer" field which
was causing part of the union context to remain uninitialized.
(cherry picked from commit 5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c)
ticket: 8076 (new)
version_fixed: 1.11.6
status: resolved
|
|
[MITKRB5-SA-2015-001] In kadmind's check_rpcsec_auth(), use
data_eq_string() instead of strncmp() to check components of the
server principal, so that we don't erroneously match left substrings
of "kadmin", "history", or the realm.
(cherry picked from commit 6609658db0799053fbef0d7d0aa2f1fd68ef32d8)
ticket: 8075 (new)
version_fixed: 1.11.6
status: resolved
|
|
[MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free
partial deserialization results upon failure to deserialize. This
responsibility belongs to the callers, svctcp_getargs() and
svcudp_getargs(); doing it in the unwrap function results in freeing
the results twice.
In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers
we are freeing, as other XDR functions such as xdr_bytes() and
xdr_string().
(cherry picked from commit a197e92349a4aa2141b5dff12e9dd44c2a2166e3)
ticket: 8074 (new)
version_fixed: 1.11.6
status: resolved
|
|
[MITKRB5-SA-2015-001] The krb5 gss_process_context_token() should not
actually delete the context; that leaves the caller with a dangling
pointer and no way to know that it is invalid. Instead, mark the
context as terminated, and check for terminated contexts in the GSS
functions which expect established contexts. Also add checks in
export_sec_context and pseudo_random, and adjust t_prf.c for the
pseudo_random check.
(back ported from commit 82dc33da50338ac84c7b4102dc6513d897d0506a)
ticket: 8073 (new)
version_fixed: 1.11.6
status: resolved
|
|
|
|
Directly accessing the result field of Tcl_Interp has been deprecated
for a long time, requires a special define in Tcl 8.6, and will be
impossible in Tcl 9. Use Tcl_SetResult instead. The new error
messages are less helpful than the old ones, but this is just support
infrastructure for old tests, so it isn't important.
(cherry picked from commit b63496d7b44f090ea5d300dc09b4fc043138ae38)
ticket: 8121 (new)
version_fixed: 1.11.6
status: resolved
|
|
For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno. As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values. Fix the loop to use
the correct kvno value.
CVE-2014-4345:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations. An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present. After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array. The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.
Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated. Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
[ghudson@mit.edu: clarified commit message]
[kaduk@mit.edu: CVE summary, CVSSv2 vector]
(cherry picked from commit 81c332e29f10887c6b9deb065f81ba259f4c7e03)
ticket: 8120 (new)
version_fixed: 1.11.6
status: resolved
|
|
(cherry picked from commit 18333f731b8cb3b4610b1d623caef9347c785f7b)
ticket: 8119 (new)
version_fixed: 1.11.6
status: resolved
|
|
profile_rename_section should demand only one name.
profile_add_relation should demand only one name if it is creating a
new section. It aso needs to reset state before calling
profile_find_node for the section, in case it didn't look up any
parent sections previously.
(cherry picked from commit 590df2f41f84e0f9492e08f7dbd26fbcd3118ea0)
ticket: 8118 (new)
version_fixed: 1.11.6
status: resolved
|
|
In profile_find_node, skip deleted nodes when finding the second
match. Otherwise, profile_clear_nodes could return an error if a node
has some values to clear but the last one is deleted.
In profile_node_iterator, skip deleted nodes when looking up the
section names. Otherwise we could iterate over a deleted section
and/or ignore its replacement.
(cherry picked from commit e7f50a1c11845ba73ce4ffa4729d10113563a247)
ticket: 8117 (new)
version_fixed: 1.11.6
status: resolved
|
|
The built-in word list is not long enough for all of the libdb2 tests
to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and
go back to using the system dictionary if we find one. However, omit
any lines from the chosen word list which contain non-alphabetical
characters.
(cherry picked from commit dba768e873d3ae34cfb2ff9d9c2d3644981f23a5)
ticket: 8116
version_fixed: 1.11.6
status: resolved
|
|
The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code
instead.
(cherry picked from commit 26d874412983c4c9979a9f5e7bec51834ad4cda5)
ticket: 8116 (new)
version_fixed: 1.11.6
status: resolved
|
|
docutils 0.10 properly adds indentation to example blocks in man
pages, so we do not need to force an extra indentation level. Get rid
of the workaround wherever we use it.
(back ported from 4bd50f73c80a86852ec0879abdf52202be40892b)
(back ported from commit 1ac533f132539513916aafccd0e159cb2687ad08)
ticket: 8115 (new)
version_fixed: 1.11.6
status: resolved
|
|
When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length. This could
result in a null dereference.
CVE-2014-4344:
In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token. This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
[kaduk@mit.edu: CVE summary, CVSSv2 vector]
(cherry picked from commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b)
ticket: 8114 (new)
subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
version_fixed: 1.11.6
status: resolved
|
|
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context. So don't free it.
CVE-2014-4343:
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator. At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.
Historically, some double-free vulnerabilities can be translated into
remote code execution, though the necessary exploits must be tailored
to the individual application and are usually quite
complicated. Double-frees can also be exploited to cause an
application crash, for a denial of service. However, most GSSAPI
client applications are not vulnerable, as the SPNEGO mechanism is not
used by default (when GSS_C_NO_OID is passed as the mech_type argument
to gss_init_sec_context()). The most common use of SPNEGO is for
HTTP-Negotiate, used in web browsers and other web clients. Most such
clients are believed to not offer HTTP-Negotiate by default, instead
requiring a whitelist of sites for which it may be used to be
configured. If the whitelist is configured to only allow
HTTP-Negotiate over TLS connections ("https://"), a successful
attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message. Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
(cherry picked from commit f18ddf5d82de0ab7591a36e465bc24225776940f)
ticket: 8113 (new)
version_fixed: 1.11.6
status: resolved
|
|
(cherry picked from commit 4abfd7bc3819a66f77a1cf121b7608af624ecb6e)
ticket: 8112 (new)
version_fixed: 1.11.6
status: resolved
|
|
$(BUILDTOP)/include/profile.h was being updated by two different
rules, which could collide with make -j. Use a dependency from
includes instead of a redundant rule.
(cherry picked from commit 4d3827ac1b0e9e6447a132c57f3e2d74d3dfe8a9)
ticket: 8111 (new)
version_fixed: 1.11.6
status: resolved
|
|
For example, FreeBSD has removed RTM_OLDADD and RTM_OLDDEL from its API
in March 2014, with the message:
Garbage collect long time obsoleted (or never used) stuff from routing API
Only attempt to define behavior for these cases if they are defined.
(cherry picked from commit fd352d41a79013114708e99510b6be3836200237)
ticket: 8110 (new)
version_fixed: 1.11.6
status: resolved
|
|
To create worker processes, the KDC shuts down realms, forks off the
worker processes, then reinitializes realms in each child.
Reinitializing realms requires making a second pass over the
command-line arguments. To do this with getopt, optind must be
reinitialized to 1 for each pass; otherwise, no options will be seen
the second time around.
(cherry picked from commit 1776fd19120d230115527febbd22979eb64ee1ff)
ticket: 8109 (new)
version_fixed: 1.11.6
status: resolved
|
|
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:
* An RFC 1964 token being processed by an RFC 4121-only context
[CVE-2014-4342]
* A header with fewer than 22 bytes after the token ID or an
incomplete checksum [CVE-2014-4341 CVE-2014-4342]
* A ciphertext shorter than the confounder [CVE-2014-4341]
* A declared padding length longer than the plaintext [CVE-2014-4341]
If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.
CVE-2014-4341:
In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
CVE-2014-4342:
In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
[tlyu@mit.edu: CVE summaries, CVSS]
(cherry picked from commit fb99962cbd063ac04c9a9d2cc7c75eab73f3533d)
ticket: 8108 (new)
subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
version_fixed: 1.11.6
status: resolved
|
|
If krb5_encrypt_keyhelper() returns an error, the ciphertext structure
may contain a non-zero length, but it will already have freed the
pointer to its data, making encrypt_credencpart()'s subsequent attempt
to clear and free the memory fail. Remove that logic.
Based on a patch from Jatin Nansi.
(cherry picked from commit 476284de8dc9a52b5544445cb1b316a417ae88f0)
ticket: 8107 (new)
version_fixed: 1.11.6
status: resolved
|
|
In create_identifiers_from_stack: check for allocation errors from
PKCS7_ISSUER_AND_SERIAL_new and M_ASN1_INTEGER_dup. Use
PKCS7_ISSUER_AND_SERIAL_free to more concisely clean up the OpenSSL
issuer variable, and make sure that any partially processed value is
cleaned up on error. Use calloc to allocate krb5_cas so that all of
its pointers are initially nulled, so that
free_krb5_external_principal_identifier can operate on it safely in
case of error. Eliminate the retval variable as it was not used
safely. Rename the error label from "cleanup" to "oom" and separate
it from the successful return path (which has nothing to clean up).
(back ported from commit 09246e64e20f079bef6163e9e1d0ecda7917b8c2)
(cherry picked from commit 62c9e504261a07b8da297854c9fc9549acecc7d3)
ticket: 8106 (new)
version_fixed: 1.11.6
status: resolved
|
|
Describe how to use a commercially-issued server certificate for
anonymous PKINIT. Separate the KDC and client configuration
instructions so that the steps necessary for anonymous PKINIT are not
combined with the additional steps necessary for regular PKINIT.
Describe kpServerAuth as the EKU used in commercially issued server
certificates, not as the value used by Microsoft (which does not
appear to be true according to [MS-PKCA]).
(cherry picked from commit 677c7753923e5efa078074611d4474fbcc10f6a1)
ticket: 8105 (new)
version_fixed: 1.11.6
status: resolved
|
|
This variable was never used in the PKINIT code as it was contributed;
there was only code to read its value.
(cherry picked from commit e161636590429aa78a3f04a8bbe0a36dda48a8ab)
ticket: 8104 (new)
version_fixed: 1.11.6
status: resolved
|
|
profile_flush_to_buffer, profile_flush_to_file, profile_free_buffer,
profile_init_flags, and profile_init_vtable are all public profile
functions, but are inaccessible to libkrb5 applications on some
platforms because they were never added to the export list. Add them
now.
(libprofile functions have never been part of the Windows DLL export
list, so do not change krb5_32.def at this time.)
(cherry picked from commit dc1a76ccc5d3a6972d0f21d38389ff39e54f283a)
ticket: 8103 (new)
version_fixed: 1.11.6
status: resolved
|
|
Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.
This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.
Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.
(back ported from commit fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48)
ticket: 8102
version_fixed: 1.11.6
status: resolved
|
|
In the LDAP KDB module, ensure that every krb5_key_data we pass to
asn1_encode_sequence_of_keys includes a salt type, for compatibility
with the decoder in unpatched krb5 1.11 and 1.12.
This is not a behavior change by itself; since 1.7 the encoder has
always included a KrbKey salt field because it erroneously treats that
field as non-optional. (Luckily, the encoded salt always happens to
have salt type 0 because krb5_key_data constructors start with zeroed
memory.) The next commit will fix the encoder and decoder to properly
treat the KrbKey salt field as optional, so we need this change to
ensure that our encodings remain compatible.
Also fix the ASN.1 tests to set key_data_ver correctly for the sample
test key data.
(cherry picked from commit 1825455ede7e61ab934b16262fb5b12b78a52f1a)
ticket: 8102 (new)
version_fixed: 1.11.6
status: resolved
|
|
This feature was never implemented in the PKINIT code as it was
contributed; there was only stub support for reading the filename.
(cherry picked from commit 8da21b0ec18cf9306a8c1b3410d5c6ab36acdd21)
ticket: 8101 (new)
version_fixed: 1.11.6
status: resolved
|
|
Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.
(cherry picked from commit ac406bac3d73a7e4efcc74adbb90c722457da969)
ticket: 8100 (new)
version_fixed: 1.11.6
status: resolved
|
|
krb5int_c_combine_keys is used only by SAM-2 preauth with neither the
send-encrypted-sad nor use-sad-as-key flags, so it isn't covered by
any automated function tests. Add some unit tests to make sure that
it works and returns the expected results for two randomly generated
test vectors.
(back ported from commit 6e8b2fba84df2ef74ce071330b4c3f843f4b7541)
ticket: 8099 (new)
version_fixed: 1.11.6
status: resolved
|
|
When krb5int_c_combine_keys was updated to use the new crypto
interface, a small bug was introduced. It turns out the temporary
keyblock created needs to have its enctype set; otherwise, when
krb5int_derive_keyblock() is called later, it will fail with
KRB5_BAD_ENCTYPE.
(cherry picked from commit 89803a5a781107365d5a4534eebf48dbaf010f96)
ticket: 8098 (new)
version_fixed: 1.11.6
status: resolved
|
|
In add_admin_princ, remove build_name_with_realm and call asprintf
directly instead. Check for asprintf failure to avoid passing an
undefined pointer to krb5_parse_name.
[ghudson@mit.edu: rewrite commit message]
(cherry picked from commit f5645d30cf83398640c386a612eb6f07c543286f)
ticket: 8097 (new)
version_fixed: 1.11.6
status: resolved
|
|
Due to an inverted test in adb_policy_init, kadm5_flush calls
krb5_db_open twice. With the DB2 KDB module, the second open is a
no-op, but with the LDAP module, a new DB handle is allocated and the
old one is leaked.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 372e4cb6f5d4a603e6e3157c7b5d354953836136)
ticket: 8096 (new)
version_fixed: 1.11.6
status: resolved
|
